cybersecurity challenges p2p training presentations/p2p symposium...chief information security...

Cybersecurity Challenges 1 Unclassified April 2019


Page 1

Cybersecurity Challenges

Unclassified

April 2019

Page 2: What DoD Is Doing

DoD is participating in a range of activities to improve the collective cybersecurity of the nation and protect U.S. interests:

• Secure DoD’s information systems and networks

• Implement contractual requirements to secure contractor systems and networks through the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS)

• Leverage National Institute of Standards and Technology (NIST) information security standards and guidelines for federal and nonfederal information systems

• Codify cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy

Page 3: Contractual Requirements in the FAR/DFARS

Implementing contractual requirements through the Federal Acquisition Regulation (FAR)/Defense Federal Acquisition Regulation Supplement (DFARS):

• FAR Clause 52.204-2, Security Requirements (for classified information)

• DFARS Clause 252.239-7010, Cloud Computing Services

• DFARS Clause 252.246-7007, Contractor Counterfeit Electronic Part Detection and Avoidance System, and DFARS Clause 252.246-7008, Sources of Electronic Parts

• DFARS Clause 252.239-7018, Supply Chain Risk

• FAR Clause 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities

• FAR Clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems

• DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (and DFARS Provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls)

[Figure labels: "Systems Owned/Operated by the Contractor" and "Systems Owned/Operated by the Government"]

Page 4: Challenges

• Vendor Identity

- Strengthening vendor vetting procedures across SAM and CAGE platforms

- Developing the capability to determine large industry business segments/divisions

• Supply Chain Risk

- Section 2339a

- Prohibited Vendors

• Connecting Risk to Product

• Protection of Unclassified Data

Page 5: DFARS 252.239-7018 Supply Chain Risk - Requirements

• DFARS Clause 252.239-7018 permits DoD to consider the impact of supply chain risk in procurements related to national security systems (i.e., a ‘covered system’ or a ‘covered item of supply’)

• Originally provided by Section 806 of NDAA for FY2011, and subsequently updated, made permanent, and codified at Section 2339a of Title 10, USC, these authorities:

- Permit exclusion of a source failing to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk

- Permit DoD to limit disclosure of information relating to the basis for excluding a source if the risk to national security due to disclosure is greater than the risk due to nondisclosure

• DoD established new procedures in 2018 to authorize USD(A&S) and Section 2339a Authorized Officials in the Military Departments to make Class Determinations to exercise Section 2339a authority for a class of procurements

Page 6: DFARS 252.239-7018, Supply Chain Risk

Supply Chain Risk and the Supplier Performance Risk System (SPRS)

• DoD expanded user access to SPRS to all DoD acquisition personnel and acquisition personnel in other agencies supporting DoD on an assisted acquisition basis, to ensure access to Section 2339a Class Determination decisions.

• When procuring or integrating IT into a DoD national security system (i.e., a ‘covered system’ or ‘covered item of supply’), acquisition and procurement officials should check the 10 U.S.C. 2339a list in SPRS prior to:

- Releasing a sole source RFP

- Setting the competitive range

- Awarding contracts, delivery/task orders, and federal supply schedule contracts/modifications that add new work or exercise an option

For more information see https://www.acq.osd.mil/dpap/pdi/cyber/enhanced_procedures_for_supply_chain_risk_management.html

Page 7: Legislation and Regulations Addressing the Link Between Products and Risk

• Section 1634 of NDAA FY18 - Prohibits the use of products and services developed or provided by Kaspersky Lab

- FAR Case 2018-10, Use of Products and Services of Kaspersky Lab (FAR Part 52.204-23)

• Section 889 of NDAA FY19 - Prohibits procurement of covered equipment/services from Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Technology Company or Dahua Technology Company (or subsidiaries/affiliates)

- FAR Case 2018-017, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment

- FAR Case 2019-009, Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment

• Section 1656 of NDAA FY18 - Provides that DoD may not procure/obtain/extend/renew a contract to provide/obtain any equipment/system/service to carry out the DoD nuclear deterrence mission or the DoD homeland defense mission if such equipment/system/service uses covered telecommunications equipment or services as a substantial or essential component of any system or as a critical technology as a part of any system

- DFARS Case 2018-D022, Covered Telecommunications Equipment or Services

Page 8: Legislation and Regulations Addressing the Link Between Product and Risk

• Section 1655 of NDAA FY19 – Requires certain offerors and contractors to disclose foreign obligations

- DFARS Case 2018-D064, Disclosure of Information Regarding Foreign Obligations

• Section 1603 of NDAA FY18 - Imposes prohibitions with regard to acquisition of certain foreign commercial satellite services

• Section 1296 of NDAA FY17 - Prohibits purchase of items from a Communist Chinese military company that meet the definition of goods and services controlled as munitions items when moved to the 600 series of the Commerce Control List of the Export Administration Regulations of the Dept of Commerce

• Sections 1754 and 1766 of NDAA FY19 – Address the determination by the Secretary of State with regard to the list of countries that are sponsors of state terrorism

- DFARS Case 2018-D020, Foreign Commercial Satellite Services and Certain Items on the Commerce Control List

Page 9: Protecting the DoD’s Unclassified Information

[Figure: diagram mapping information types and system types to the requirements that apply. Recovered labels and captions follow.]

Information types: Controlled Unclassified Information (USG-wide); Federal Contract Information; Covered Defense Information (DoD CUI)

System types: DoD Owned and/or Operated Information System; System Operated on Behalf of the DoD; Contractor’s Internal System; Cloud Service Provider (CSP)

Cloud labels: External CSP - Equivalent to FedRAMP Moderate; Internal Cloud - NIST SP 800-171; DoD Information System - DoD Cloud Computing SRG

Captions:

- DFARS Clause 252.204-7012, and/or FAR Clause 52.204-21, and security requirements from NIST SP 800-171 apply

- Risk Management Framework and ‘Authority to Operate’ shall apply

- DFARS Clause 252.239-7018 may apply

- When cloud services are used to process data on the DoD’s behalf, DFARS Clause 252.239-7010 and the DoD Cloud Computing SRG apply

Page 10: Protecting the DoD’s Unclassified Information - Stakeholders

Department of Defense

DoD CIO
• Cybersecurity
• Defense Cyber Crime Center (DC3)

OUSD(R&E)
• Strategic Technology, Protection, & Exploitation
• Joint Acquisition, Protection, & Exploitation Cell (JAPEC) and Damage Assessment Office (DAMO)

OUSD(A&S)
• Defense Pricing & Contracting (DPC)
• Defense Contract Management Agency (DCMA)

DoD Components
• Program Office/Requiring Activity
• Damage Assessment Offices (DAMOs)
• CISOs/CIOs/IT Security Specialists

General Counsel

OUSD(I)
• Defense Security Service (DSS)

Industry
• Chief Information Security Officers (CISOs)
• Information Technology (IT) Security Specialists
• Contracting
• Facility Security Specialists
• Counsel
• Project Managers

Page 11: DFARS Clause 252.204-7012 Requirements

Requires the program office/requiring activity to:

• Mark or otherwise identify in the contract, task order, or delivery order covered defense information provided to the contractor by or on behalf of DoD in support of the performance of the contract

Requires the contractor/subcontractor to:

• Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network

• Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support

• Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center

• Submit media/information as requested to support damage assessment activities

• Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information

Page 12: Adequate Security to Safeguard Covered Defense Information

To provide adequate security to safeguard covered defense information:

DFARS 252.204-7012 (b) Adequate Security. … the contractor shall implement, at a minimum, the following information security protections:

(b)(2)(ii)(A): The contractor shall implement NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations, as soon as practical, but not later than December 31, 2017

(b)(3): Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required

DFARS 252.204-7012 directs how the contractor shall protect covered defense information; the requirement to protect it is based in law, regulation, or Government-wide policy.

Page 13: Contractor Compliance — Implementation of DFARS Clause 252.204-7012

• By signing the contract, the contractor agrees to comply with the terms of the contract and all requirements of DFARS Clause 252.204-7012

• It is the contractor’s responsibility to determine whether it has implemented NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information)

- The scope of DFARS Clause 252.204-7012 does not require DoD to ‘certify’ that a contractor is compliant with the NIST SP 800-171 security requirements

- The scope of DFARS Clause 252.204-7012 does not require the contractor to obtain third party assessments or certifications of compliance

- DoD does not recognize third party assessments/certifications of compliance

• Per NIST SP 800-171, federal agencies may consider the submitted system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a nonfederal organization’s information systems/networks.

Page 14: Existing Oversight of DFARS Clause 252.204-7012 - Defense Contract Management Agency (DCMA)

Actions DCMA will take in response to DFARS Clause 252.204-7012:

• Encourage industry to adopt corporate, segment, or facility-level system security plans as may be appropriate in order to ensure more consistent implementations and to reduce costs

• Verify that system security plans and any associated plans of action are in place (DCMA will not assess plans against the NIST SP 800-171 requirements)

• If a potential cybersecurity issue is detected, notify the contractor, DoD program office, and DoD CIO

• During the normal Contract Receipt and Review process, verify that DFARS Clause 252.204-7012 is flowed down to sub-contractors/suppliers as appropriate

• For contracts awarded before October 2017, verify that the contractor submitted to DoD CIO notification of security requirements not yet implemented

• Verify that the contractor possesses a DoD-approved medium assurance certificate to report cyber incidents

• When required, facilitate entry of a government assessment team into contractor facilities via coordination with cognizant government and contractor stakeholders

Page 15

Strategies to Enhance Cybersecurity Measures Provided by DFARS Clause 252.204-7012 and NIST SP 800-171

DPC Memo (Nov 6, 2018), Subject: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012

• Provides acquisition personnel with framework of tailorable actions to assess the contractor’s approach to protecting DoD CUI

• Provides guidance for reviewing system security plans and any NIST SP 800-171 security requirements not yet implemented

• Includes sample Contract Data Requirements Lists (CDRLs) and associated Data Item Descriptions (DIDs)

ASD(A&S) Memo (Dec 17, 2018), Subject: Strengthening Contract Requirements Language for Cybersecurity in the Defense Industrial Base

• Provides program offices and requiring activities with sample Statement of Work (SOW) language to be used in conjunction with DPC guidance

• Addresses access to/delivery of the contractor’s system security plan, access to/delivery of the contractor’s plan to track flow down of DoD CUI, and the plan to assess compliance of Tier 1 Level suppliers


Page 16

Strategies to Enhance Cybersecurity Measures Provided by DFARS Clause 252.204-7012 and NIST SP 800-171

USD(A&S) Memo (Jan 21, 2019), Subject: Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review

• DCMA will leverage review of contractor purchasing systems in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, to:

- Review contractor procedures to ensure contractual requirements for identifying/marking DoD CUI flow down appropriately to their Tier 1 Level Suppliers

- Review contractor procedures to assess compliance of Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171

USD(A&S) Memo (Feb 5, 2019), Subject: Strategically Implementing Cybersecurity Contract Clauses

• DCMA will apply a standard DoD CIO methodology to recognize industry cybersecurity readiness at a strategic level.

• DCMA will pursue, at a corporate level, the bilateral modification of contracts administered by DCMA to strategically (i.e., not contract-by-contract) obtain/assess contractor system security plans

See DPC Website at https://www.acq.osd.mil/dpap/pdi/cyber/guidance_for_assessing_compliance_and_enhancing_protections.html

Page 17: Enhanced Security Requirements to Address the Advanced Persistent Threat (APT)

What is the Advanced Persistent Threat (APT)?

• The APT, an adversary with sophisticated levels of expertise and significant resources, uses multiple attack vectors including cyber, physical, and deception to achieve its objectives.

• These objectives typically include establishing and/or extending footholds within the infrastructure of targeted organizations in order to exfiltrate information, or to undermine/impede critical aspects of a mission, program, and/or organization.

NIST is developing NIST 800-171B, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for High Value Assets", to identify requirements to protect CUI that is part of a critical program or a high value asset.

Ron Ross Tweet: "The requirements to protect CUI from the APT will appear in a separate publication--NIST 800-171B, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for High Value Assets." #ProtectCUI"